A sophisticated Threat Intelligence capability can provide real facts, context and inform an organization on the MITRE ATT&CK tactics and techniques on which to focus.

Security Operations and DFIR

Resilient Playbook and automated actions for Threat Hunting and DFIR

March 31, 2019

Some initial triage task instructions, which are processed by the Security Operations team, are listed under the Stage 1 Analysis phase of the incident. Once completed, the incident is handed off to the Threat Hunting team for scoping the attack and developing further intelligence. As you can see, all the TTP task instructions regarding APT28 have been loaded into the Stage 2 Analysis phase of this playbook...

Threat Hunting – a relatively new discipline in Cyber defense

February 28, 2019

The idea behind Threat Hunting is to shift from a reactive IR model to a proactive approach. In Security Operations, a detection team hands off an alert to an Incident Response team, which validates the incident and responds to it if it is a true incident. The goal of Threat Hunting is to proactively engage a team and hunt for known adversaries, including their applied TTPs, in an organization’s networked computing environment...

Resilient Workflows and Playbooks

January 3, 2019

How we are implementing the individual TTP detection and mitigation instructions with workflows and playbooks. For this, we will first integrate with additional Cyber Security systems and tools, and second extend our solution draft by building Stage 1/2 Analysis capabilities. The goal is to help Security Operations and DFIR streamline deep security and forensic analysis, drastically reducing analysis and response time as well as understanding and keeping track of the full scope and complete impact of an attack...

Implementation – STIX knowledge and relevance graph – steps 16-21

December 28, 2018

In order to generate the knowledge graph we first check whether a related Threat Actor has been provided as part of the CTI, and if so, we map it to the MITRE Intrusion Set. Next we search recursively for the tools and malware utilized by that specific Intrusion Set. Then we create a STIX file that includes all the identified Tool SDOs and Malware SDOs along with the Intrusion Set SDO, all provided by MITRE. Next, we are further...

Implementation – Related IP Addresses – steps 11-15

December 23, 2018

Now we want to take advantage of our actionable CTI. The goal is to verify the related IP addresses of the two RF-matched destination IP addresses 81.7.11.83 and 93.184.220.29 that have been communicated as part of their corresponding CTI. We verify all related IP addresses against the QRadar Ariel database and only consider the ones that have a local relevance, i.e. local-to-remote network traffic that matched against a related IP address. Finally we take those matching related IP addresses into the Resilient Incident Artifacts tab...

Implementation – STIX bundle – steps 7-10

December 21, 2018

As part of this solution draft we express the CTI-provided IOCs in STIX Indicator SDOs and their local relevance in STIX Observed Data SDOs. We further generate Sighting SROs in order to visualize that we sighted IOCs in the local context. We also leverage the Identity SDO in order to specify Recorded Future as the organization we receive indicators from and myself – Rukhsar Khan, Security Analyst – as an individual. In order to put the Identity SDO into a relationship with other SDOs we make use of the Relationship SRO. For generating a visualized graph...

Implementation – Overview – steps 0-6

December 17, 2018

Our core implementation of the MITRE ATT&CK framework is performed in the IBM Resilient SOAR platform. In order to converge Security Operations and DFIR in this single platform we have defined two stages, namely Stage 1 Analysis and Stage 2 Analysis. Stage 1 Analysis corresponds to a SecOps Level 1 and Level 2 team, whereas Stage 2 Analysis applies to a DFIR team...

Solution Draft

December 13, 2018

Based on the experience we have gained in the last decade with dozens of large customers and newly emerged market technologies like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), sophisticated CTI and advanced tools and products for computer and network forensics, our claim is that Security Operations and DFIR need to converge. Both disciplines have strengths and weaknesses, so the goal should be to merge the strengths and shun the weaknesses of both in a single platform. And what would be more suitable for this than a SOAR platform...

Current Security Operations and DFIR problems

December 11, 2018

If you give an attacker 100 days to move freely in your environment after he has compromised it, the evidence is fairly strong that your organization is pretty bad at Security Operations. This is what currently happens in a lot of organizations. According to a Forrester report, the median breach confirmation time in 2017 was 101 days. So basically it took 101 days for Security Operations to confirm a breach and hand it off to the DFIR team...

Cyber attackers are constantly becoming more subtle while Security Operations (SOC, CERT and CSIRT) continues to scratch the surface. It doesn’t matter whether that’s a large enterprise, bank or government institution. The evidence is fairly strong that most organizations are pretty bad at security operations. Why are there so many global high-profile breaches? Why can organizations today not adequately detect and respond to breaches while they have spent millions on their Cyber Security defense? You don’t have to be a genius to figure out that there must be vital gaps in the defense ecosystem of organizations. But how do we identify these gaps, and what courses of action are required?...

with commercial and non-commercial products and tools from IBM, Recorded Future, Carbon Black, A10 Networks, Volatility and more...

This class is about Incident Response in a post-compromise environment.

In this class we will show you the major reasons why Security Operations is currently performing badly and what is required within Security Operations in order to produce high-value results that can be consumed by a Threat Hunting and Forensic team. We will also focus on how to streamline security analysis, starting with the initial triage within Security Operations, through Threat Hunting, to Forensics in case of an advanced targeted attack, by quickly forming a defense team that is able to collaborate directly from within IBM Resilient as the central hub for Incident Response.

The goal is to rapidly identify and respond to advanced adversaries that have gained a foothold in a compromised environment (post-compromise). The initial triage will be conducted by the Security Operations team (L1), which will hand off valuable results to the Threat Hunting team (L2), which will in turn produce results that will be consumed by the DFIR team (L3) for a deep-dive forensic analysis focusing on a few affected systems out of hundreds or thousands of systems...